Hi there,

More likely, they just compromise your relay in runtime.

Reflashing the boot firmware is theoretical, but due to the huge variation in the hardware running Tor, I am not convinced using such an exploit on vast numbers of computers is entirely practical. Since relays are up for months at a time in some cases, just a more subtle exploit is probably more successful, if I understand the capabilities of known attacks. This also reduces the likelihood of security researchers (who are naturally more accustomed to running and analysing Tor relays) discovering that an exploit has occurred and reverse engineering it to see how it works.

Besides, the Raspberry Pi runs various proprietary firmwares, with drivers naturally running in kernel space (the highest privilege level of the operating system). These are a backdoor. If we work from the various assumptions that you are making, it is probably better to run a VM of Debian without the nonfree repos, removing ssh access and closing as many ports as possible.

If you want a stateless computer, currently a good option might be a laptop supported in Coreboot (*without the management engine blob etc*), write-protecting the flash chip, and running Tails or Tor ramdisk from a CD. I own an old Lenovo X200 and it works well.

A better way to increase diversity is to run VMs that have different operating systems on them. More BSD relays are good. OpenBSD is a good choice since they have reasonably up-to-date packages, if I remember correctly.

Long story short, moving everyone to vulnerable embedded systems (which are even more proprietary than Intel systems) is not the answer. I am not convinced it would benefit the Tor network. It may indeed reduce diversity, not to mention performance. Of course, more relays are good, but only in addition to the current network.

Hope this helps,
D

On 21 October 2016 13:08:24 BST, Dan Michaels <danmichaels8876@gmail.com> wrote:
The Tor Project website recommends various security setups for people running Tor relays.

Such as, don't run a web browser on the same machine as your Tor relay, otherwise the browser could get hacked, and then if Tor relays are hacked, it compromises the entire concept of Tor.

In the age of FBI mass hacking, the FBI will attempt to hack all Tor relays, and thus, they can trace traffic throughout the entire proxy chain.

According to NSA documents, all it takes is "one page load" to infect a browser, because they re-direct you to a fake website that hosts browser exploits, known as QUANTUM INSERT. The FBI will use this to take over all Tor relays that are running web browsers.

So, I have a suggestion that I would like Tor Project to recommend.

Tor Project needs to tell people... use DUMB COMPUTING devices for running Tor relays.

If your computer gets hacked, it can be deeply exploited in the firmware, such as BIOS, GPU, WiFi chip, etc.

There are devices on the market, such as Raspberry Pi, or similar, which have NO WRITABLE FIRMWARE.

This is known as being "stateless".

It does not "hold state" across reboots.

All firmware/drivers are stored on the SD card on the Raspberry Pi, and only loaded in on boot time. No component on the entire Pi holds state. NONE. There will likely be other similar devices.

Therefore, it is truly possible to wipe a dumb computing device completely clean.

If you try to wipe a regular laptop or desktop, you may have all this deeply infected firmware, such as BIOS, so you keep getting re-infected upon startup.

Some people say, once deeply infected, it's near-impossible to clean it out, and you should just throw away your entire laptop and start again.

Everyone running a Tor relay should be told to use a DUMB COMPUTING DEVICE.

Another advantage is that these devices are often very cheap. Raspberry Pi is very cheap to buy. Other devices may be even cheaper.

The instructions should be as follows...

(1) Wipe your device clean, i.e. wipe clean the SD card which holds the OS + all firmware/drivers.

(2) Then, re-install the OS clean, install Tor, and set up the relay.

(3) Tor should be installed from the command line or from a previously-downloaded version on USB stick. Do not install Tor using the web browser, otherwise you could get infected.

(4) Do not run anything else on the machine, other than the Tor relay. Using other programs, especially the web browser, could compromise the entire machine.

And that's it.

Tor Project should send out a message telling all people running Tor relays to follow these instructions.

Let me know what you think.

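As an added illustration of the quoted steps (1), (3) and (4), here is a small POSIX shell script (not code from the thread, the Tor Project, or any of the posters) with two checks an operator can run on a freshly imaged single-board host: verifying a pre-downloaded OS image against its distributor's published SHA-256 before writing it to the SD card, and listing every listening TCP port that is not one of the relay's own ports once Tor is up. It assumes `sha256sum` (or `shasum -a 256`) and input in the format of `ss -ltn`; the sample socket table, and the use of 9001 and 9030 as the relay's ORPort and DirPort, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Tor Project.
#  verify_image        : confirm an OS image matches a published SHA-256
#                        before it is written to the relay's SD card.
#  unexpected_listeners: read `ss -ltn` style output and print listening
#                        ports that are not in the relay's allowlist, so
#                        anything besides Tor running on the host shows up.
# The socket table below is constructed sample data.

# sha256_of <file>: print the hex SHA-256 of a file (sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image <file> <expected_sha256>
# Returns 0 when the checksum matches, 1 otherwise. Run this on the image
# copied from the USB stick, before dd'ing it onto the card.
verify_image() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# unexpected_listeners <allowed-ports> < ss-ltn-output
# <allowed-ports> is a space-separated list (e.g. "9001 9030" for a relay
# whose ORPort is 9001 and DirPort is 9030). Prints each listening port
# not in that list, one per line; prints nothing when the host is clean.
unexpected_listeners() {
    allowed=" $1 "
    # Skip the header line; column 4 is "Local Address:Port". Strip
    # everything up to the last ':' so IPv4 and [::]-style IPv6 both work.
    tail -n +2 | awk '{print $4}' | sed 's/.*://' | sort -un |
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;        # a relay port we expect
            *) echo "$port" ;;     # anything else does not belong here
        esac
    done
}

# Constructed sample in the format of `ss -ltn`: the relay's two ports plus
# an SSH daemon and a print spooler that should not be on a Tor-only box.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:9001        0.0.0.0:*
LISTEN  0      128    0.0.0.0:9030        0.0.0.0:*
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    127.0.0.1:631       0.0.0.0:*'

# Demo run against the sample: prints 22 and 631.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners '9001 9030'
```

On a live host, replace the sample with `ss -ltn | unexpected_listeners "$ORPORT $DIRPORT"`; an empty result is the state the quoted step (4) asks for, and any port printed is a service to remove or justify before the relay goes back on the network.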


tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays